OFFICE OF THE SECRETARY

FY 2011 Federal Information Security Management Act Audit: More Work Needed to Strengthen IT Security Department-Wide

FINAL REPORT NO. OIG-12-007-A
NOVEMBER 10, 2011

U.S. Department of Commerce
Office of Inspector General
Office of Audit and Evaluation

FOR PUBLIC RELEASE


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

November 10, 2011

MEMORANDUM FOR:  Simon Szykman
                 Chief Information Officer

FROM:            Allen Crawley
                 Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:         FY 2011 Federal Information Security Management Act Audit: More Work Needed to Strengthen IT Security Department-Wide
                 Final Report No. OIG-12-007-A

Attached is the final report of our audit of the Department's information security program and practices, which we conducted to meet our obligations under the Federal Information Security Management Act (FISMA). In FY 2011, we assessed the security of 10 systems from three operating units: Census, NOAA, and USPTO.

We found deficiencies in fundamental security planning activities that inhibit the effective implementation of controls. In addition, we identified weaknesses in critical security controls that place the Department's systems at risk. And we found flaws in the Department's Plan of Action and Milestones process that informs risk-based authorization decisions and performance measures for individuals with significant IT security responsibilities.

We are pleased that, in response to our draft report, you concurred with our findings and recommendations. We have summarized your response in the report and included the response as an appendix. We will post this report on the OIG website pursuant to section 8L of the Inspector General Act of 1978, as amended.

Under Department Administrative Order 213-5, you have 60 calendar days from the date of this memorandum to submit an audit action plan to us. The plan should outline actions you propose to take to address each recommendation.

We appreciate the cooperation and courtesies extended to us by your staff as well as operating units' staff during our audit. Please direct any inquiries regarding this report to me at (202) 482-1855, and refer to the report title in all correspondence.

Attachment

cc:  Rebecca Blank, Acting Deputy Secretary
     Brian McGrath, Chief Information Officer, Census Bureau
     Joseph Klimavicz, Chief Information Officer, NOAA
     John Owens, Chief Information Officer, USPTO
     Catrina Purvis, Chief Information Officer, NESDIS
     Larry Tyminski, Chief Information Officer, NMFS
     Iftikhar Jamil, Chief Information Officer, NWS
     Earl Neal, Director, Office of IT Security, Infrastructure and Technology
     Susan Schultz Searcy, Audit Liaison, Office of the Chief Information Officer


Report In Brief                                                         NOVEMBER 10, 2011

OFFICE OF THE SECRETARY
FY 2011 Federal Information Security Management Audit: More Work Needed to Strengthen IT Security Department-Wide
OIG-12-007-A

Why We Did This Review

Information security program, evaluation, and reporting requirements for federal agencies are established by The Federal Information Security Management Act of 2002 (FISMA). FISMA requires agencies to secure their information systems through the use of cost-effective management, operational, and technical controls. FISMA also requires inspectors general to evaluate agencies' information security programs and practices by assessing a representative subset of agency systems, and to report the results to the Office of Management and Budget (OMB) and Congress annually.

Background

The Department of Commerce's 280 information technology (IT) systems process, store, and transmit census, economic, trade, satellite, and weather data, among others, in support of its varied missions. This year, we assessed the security of 10 information systems selected from three Commerce operating units: five from the National Oceanic and Atmospheric Administration (NOAA), three from the U.S. Patent and Trademark Office (USPTO), and two from the Census Bureau.

In our FY 2010 FISMA audit, we concluded that the Department had not adequately secured its information systems. The Department concurred with our recommendations and developed an action plan to address them—but had not completed the actions by the FY 2011 audit.

WHAT WE FOUND

We identified deficiencies in fundamental aspects of security planning and significant security control weaknesses. These include continued failure to implement key controls that govern system access, securely configure components, patch vulnerable software, and audit and monitor system events. Flaws remain in the Department's process for reporting and tracking the remediation of IT security weaknesses. Overall, the entire Department needs to manage information security with greater rigor and consistency.

Specifically, we found deficiencies in:

    •   security planning that inhibit effective implementation of security controls;
    •   critical controls, thus placing the Department's systems at risk; and
    •   the Department's Plan of Action and Milestones (POA&M) process that undermine effective remediation of security weaknesses.

WHAT WE RECOMMENDED

To make the Department's information security program and practices more effective, the Department should:

    •   Complete actions planned in response to our FY 2010 FISMA audit, as quickly as possible.
    •   Develop a security planning checklist, or other planning tool, to help system owners and authorizing officials complete and maintain comprehensive security plans.
    •   Determine the feasibility of independent reviews at key steps in the risk management framework to ensure greater rigor and consistency in the security authorization process within the Department's various operating units. Consideration should be given to creating independent review teams with representatives from different operating units to share best practices and promote consistent application of Department policy.


U.S. DEPARTMENT OF COMMERCE
OFFICE OF INSPECTOR GENERAL

Contents

Introduction
    Background
Findings and Recommendations
    I.   Deficiencies in Security Planning Inhibit Effective Implementation of Security Controls
         A.  Hardware and software components need to be accurately identified to ensure system boundaries are well-protected
         B.  Responsibility for implementing controls must be established in order to provide consistent, cost-effective security
         C.  The intended applications of controls must be adequately described to enable the compliant implementation of controls
    II.  Deficiencies in Critical Controls Place the Department's Systems at Risk
    III. Deficiencies in the Department's Plan of Action and Milestones (POA&M) Process Undermine Effective Remediation of Security Weaknesses
    Recommendations
Summary of Agency Comments and OIG Response
Appendix A: Objective, Scope, and Methodology
Appendix B: Agency Response

COVER: Detail of fisheries pediment, U.S. Department of Commerce headquarters, by sculptor James Earle Fraser, 1934

FINAL REPORT NO. OIG-12-007-A
Introduction

The Department of Commerce's 280 information technology (IT) systems process, store, and transmit census, economic, trade, satellite, and weather data, among others, in support of its varied missions. Over time, cyber attacks and other information security threats have risen—including those from sophisticated and well-resourced entities using persistent but difficult-to-detect methods—against both government and private industry. Government-wide, federal agencies are struggling to adequately implement their information security programs according to a recent Government Accountability Office report.[1] Strengthening information security Department-wide to protect critical information systems and data is a top management challenge for Department leadership[2] and requires continued commitment of resources and management attention.

Information security program, evaluation, and reporting requirements for federal agencies are established by the Federal Information Security Management Act of 2002 (FISMA). FISMA requires agency heads to secure systems through the use of cost-effective management, operational, and technical controls. FISMA also requires inspectors general to evaluate agencies' information security programs and practices by assessing a representative subset of agency systems, and to report the results to the Office of Management and Budget (OMB) and Congress annually.

We assessed the security of 10 information systems selected from three Commerce operating units: five from the National Oceanic and Atmospheric Administration (NOAA), three from the U.S. Patent and Trademark Office (USPTO), and two from the Census Bureau. The operating units categorized these systems as high- or moderate-impact, based on how severely a security breach would affect organizational operations, assets, or individuals.[3]

Details of our objective, scope, and methodology are described in appendix A.

We identified deficiencies in fundamental aspects of security planning and significant security control weaknesses. These include continued failure to implement key controls that govern system access, securely configure components, patch vulnerable software, and audit and monitor system events. Further, flaws remain in the Department's process for reporting and tracking the remediation of IT security weaknesses. Overall, the entire Department needs to manage information security with greater rigor and consistency.

Our FY 2011 audit of the Department's web applications[4] also identified significant IT security weaknesses that put applications and information at risk of cyber attack. Both audits reaffirm the need to strengthen IT security Department-wide as a top management challenge. Further, we recommend that the Department continue to report IT security as a significant deficiency in its annual Performance and Accountability Report.

[1] U.S. Government Accountability Office, October 2011. Weaknesses Continue Amid New Federal Efforts to Implement Requirements, GAO-12-137.
[2] Commerce OIG, October 2011. Top Management Challenges Facing the Department of Commerce, OIG-12-003.
[3] National Institute of Standards and Technology, February 2004. Standards for Security Categorization of Federal Information and Information Systems, Federal Information Processing Standards Publication 199.
[4] Commerce OIG, October 2011. Improvements Are Needed for Effective Web Security Management, OIG-12-002-A.

Background

In our FY 2010 FISMA audit,[5] we concluded that the Department's information security program and practices had not adequately secured Department systems. We recommended that Commerce revise its IT security policy by providing more specific control implementation requirements; senior managers focus on effectively and consistently implementing key controls; and security weaknesses that we identified be corrected. We also recommended that the Department revise how it records and tracks plans for remediating IT security weaknesses to include integrity controls, evidence requirements, and management oversight. The Department concurred with our recommendations and developed an action plan to address them, but has not completed the actions to date.

The Department is currently revising its IT security policy based on our recommendations. To comply with revised guidelines from the National Institute of Standards and Technology (NIST), the Department also will transition from assessing a system's security controls every 3 years to emphasizing continuous monitoring. The Chief Information Officer also plans to revise the Department policy for recording and tracking how operating units remedy IT security weaknesses, to ensure the integrity of the process and related performance measures.

We believe these efforts should strengthen the Department's information security program and practices. Until the Department successfully implements the items in its FY 2010 audit action plan, however, we will likely continue to find recurring security weaknesses that undermine the Department's ability to defend its systems and information.

[5] Commerce OIG, November 2010. Federal Information Security Management Act Audit Identified Significant Issues Requiring Management Attention, OIG-11-012-A.

Findings and Recommendations

I. Deficiencies in Security Planning Inhibit Effective Implementation of Security Controls

Fundamental steps to managing IT security risk include establishing information system boundaries, allocating security controls among interdependent systems, and describing the intended application of controls. Consistent with many of our previous FISMA reviews,[6] 7 of the 10 systems we reviewed in FY 2011 demonstrated shortcomings in one or more of these essential security planning activities.
The persistence of these problems is of particular concern because most of the systems had received more than one security authorization,[7] prior to which their security plans should have been updated by system owners and reviewed by senior managers. Officials use security plans, along with security assessments and plans for remediating vulnerabilities, to make risk-based authorization decisions.

[6] We encountered one or more of these three issues in 31 of the 41 (76 percent) systems we reviewed in the previous 4 years' system assessments (FY 2007–FY 2010).
[7] A security authorization is the official management decision of a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the nation based on the implementation of an agreed-upon set of security controls. Reauthorizations can be time-driven (after the authorization period expires, which is typically between 1 and 3 years) or event-driven (when there is a significant change to the information system). See NIST SP 800-37 (cited in appendix A).

A. Hardware and software components need to be accurately identified to ensure system boundaries are well-protected

The boundaries of information systems need to be well-defined in order to be well-protected. Identifying all hardware and software components within a system is critical to managing security; however, we found the identification of hardware and software was deficient in 4 of the 10 systems we reviewed. As a result, such components could present points of entry for attacks on other valuable system resources.

Examples:

    •   One operating unit's databases, which support critical applications, were not clearly defined as components of either its infrastructure system or its application system, and our scans of the databases revealed they were not securely configured. We first identified this problem in our FY 2009 review and recommended that the operating unit define which system's boundary contained the databases so the appropriate owner could assess and manage their security. In FY 2011, after we again brought this issue to management's attention, the operating unit finally revised its infrastructure system's boundary to include the databases.

    •   One system lacked an accurate list of hardware and software components, which must be maintained as part of continuous monitoring practices.

    •   One system was authorized to operate without a baseline of standard software that would be used within the system.

B. Responsibility for implementing controls must be established in order to provide consistent, cost-effective security

Since systems are often interconnected and interdependent, there must be a clear understanding of how security responsibilities and resources are shared. Security for multiple information systems may be provided by system-specific, common, or hybrid controls. System-specific controls provide capabilities for a particular information system only; for example, an application likely includes its own mechanisms for governing users' activities. Common controls provide protections for more than one system; for example, a facility may provide physical and environmental protections for multiple systems residing in it.
Hybrid controls have both system-specific and common aspects; for example, audit and monitoring of an application system could include application-specific event logging, with monitoring performed by a separate network operations center.

Figure 1 illustrates the allocation of security controls within an organization. If organizations can determine ways to share resources to protect the system, then they can promote more cost-effective and consistent information security. The process of allocating security controls makes specific entities responsible and accountable for developing, implementing, assessing, authorizing, and monitoring those controls. The process should involve senior personnel throughout an organization and include authorizing officials, systems owners, information security officers, information security architects, chief information officers, and risk executives.

    Figure 1. Allocating Security Controls to Organizational IT Systems
    [Diagram not reproduced in this text version.]
    Source: OIG, adapted from NIST guidance

We determined that responsibility for implementing security controls was not properly allocated in 5 of the 10 systems we evaluated. Our findings suggest that organization-wide planning, as called for by the Risk Management Framework,[8] has not occurred to the extent necessary to ensure responsibility and accountability for security is properly assigned to specific organizational entities.

Examples:

    •   Two system security plans indicated that system-specific auditing and monitoring security controls, although planned, had not been implemented for an extended time (over 3 years and through two security authorizations). After we pointed out these issues, the systems' staff suggested that it would be more appropriate for other entities to provide the controls and the operating unit (responsible for both systems) would need to determine who should be responsible for auditing and monitoring the systems.

    •   One system security plan identified remote access controls as system-specific and "fully implemented." We found, however, that the system lacked the capabilities to implement the control, while some control elements were being provided by other systems. We also found that staff could use personal equipment to access the system remotely, in violation of the system's security requirements.

    •   One system was maintained by two IT contractors who failed to coordinate responsibility for implementing security controls within the system.

[8] See NIST SP 800-37 (cited in appendix A).

C. The intended applications of controls must be adequately described to enable the compliant implementation of controls

A necessary part of security planning is to determine how to meet specific security requirements—such as controlling access, monitoring for malicious activity, or limiting unnecessary services that can be exploited by an attacker. Security plans must describe each control's intended application, in context, with sufficient detail to enable compliance. In addition, sufficiently detailed descriptions of controls give assessors information they need to test the system's implemented security technologies.

Consistent with previous FISMA reviews, 7 of 10 systems' security plans lacked this information, which is also necessary to understand risk. Moreover, most of the systems involved had been through more than one authorization cycle, during which the security plans should have been extensively reviewed by security control assessors and others, updated by system owners, and approved by authorizing officials.

Examples:

    •   One system's security plan did not describe how controls were to be applied in its virtual server environment, and our technical assessment revealed that these security controls were not adequately implemented.

    •   One system was authorized to operate despite a security plan that failed to describe how it implemented authentication and access controls, configuration management, and auditing and monitoring. Because the system's Plan of Action and Milestones reported these missing control descriptions as IT security weaknesses (see finding below), key steps (selecting and implementing security controls) in the security authorization process were delayed and subverted.

    •   A system security plan did not describe implementation details for significant controls, instead reporting them as planned. In four key controls that were described, we found significant inaccuracies, as well as vulnerabilities, when comparing the security plan descriptions with the actual implementations.

Deficient security plans can expose systems to risk in the long term. One system's support staff, after experiencing large-scale turnover, admitted to inadequately understanding the system's specific requirements and working controls.

II. Deficiencies in Critical Controls Place the Department's Systems at Risk

We assessed the effectiveness of a subset of key security controls that (1) control access so that a system is less vulnerable to unauthorized activity, (2) establish, implement, and enforce secure configuration of components so that systems are hardened against attacks, (3) identify and fix security flaws before attackers can use them to compromise a system, and (4) detect and monitor for intrusions to lessen the impact of compromises.
These controls not only act as\n      the front-line defense against attacks, but also help minimize their effect.\n\n      During our assessment, we reviewed the systems\xe2\x80\x99 security documentation, interviewed system\n      personnel, and conducted technical examinations of system components when appropriate.\n      Security plans for six systems indicated that less than 50 percent of these key controls were\n      implemented. Staff for one system at NOAA acknowledged that its documentation was\n      inaccurate, no remediation plans were in place, and ongoing control assessments had ceased. In\n      effect, the staff was not actively managing the system\xe2\x80\x99s security. Our assessment found that\n      none of its key security controls were implemented. 9\n\n      Our assessment also revealed:\n\n              \xe2\x80\xa2      Access controls were not adequately implemented in any of the 10 systems we\n                     assessed. In one case we found that system administrators, unlike system users, had\n                     unrestricted access to the Internet, and one administrator had inappropriately\n                     conducted personal business with a foreign-based company. 
After we informed the operating unit’s management, it planned to augment content filtering and monitoring controls.

9 This was the third system we have reviewed in the last 3 years where the security posture was essentially unknown, yet by authorizing the systems to operate, operating unit officials asserted an understanding and acceptance of risk. See FY 2009 FISMA Assessment of the Environmental Satellite Processing Center (OAE-19730) and FY 2009 FISMA Assessment of BIS IT Infrastructure (OSE-19574).

FINAL REPORT NO. OIG-12-007-A                                                                    6

U.S. DEPARTMENT OF COMMERCE
OFFICE OF INSPECTOR GENERAL

   •  Secure configuration settings were not adequately defined or implemented for one or more major IT products in 9 systems.

   •  Software patches for high-risk vulnerabilities were missing in 5 systems.10

   •  Auditable system events, which must be logged and are needed to support investigations of security incidents, were not defined for 7 systems. One additional system had defined its required auditable events but was not configured to log them.

A summary of our security control assessment is presented in figure 2.

Figure 2: Summary Assessment of Key Information System Security Controls
(The original is a bar chart covering the 10 systems assessed; the counts below are the ones stated in the findings above.)

    Control area                  Systems compliant    Systems deficient
    Access Control                        0                   10
    Configuration Settings                1                    9
    Patch Management                      5                    5
    Auditing and Monitoring               2                    8

Source: OIG

These key IT security controls are necessary for effective cyber defense. With deficiencies in these controls, the systems are more susceptible to attacks or other compromises of information confidentiality, integrity, and availability.
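The audit-logging finding above describes two distinct failures: systems whose required auditable events were never defined, and a system whose events were defined but never configured. The check below is an added example for this report, not code from the OIG audit or from any Department system. It assumes a Linux host running auditd (rules tagged with -k or key=) and uses a constructed list of organization-defined events of the kind NIST SP 800-53 control AU-2 asks an organization to select; the event names, rule keys, and rules snapshot are all assumptions made for the example.

```python
"""Check whether the auditable events a security plan defines are actually
configured on a host.

Added example for the audit-logging finding in this report; it is not code
from the OIG report or from any Department system. It assumes Linux auditd
rules (-k / key= tags) and a constructed list of organization-defined events
of the kind NIST SP 800-53 control AU-2 asks the organization to select.
"""
import re

# Constructed: events the (hypothetical) security plan says must be logged,
# each mapped to the auditd rule key the implementation is expected to use.
REQUIRED_EVENTS = {
    "account and group changes": "identity",
    "privileged command execution": "priv_esc",
    "changes to audit configuration": "auditconfig",
    "logon and logoff": "logins",
    "file deletion by users": "delete",
}

# Constructed: a snapshot of /etc/audit/rules.d/audit.rules taken from a host.
# The auditconfig rule is commented out, so it configures nothing; there is no
# delete rule at all.
SAMPLE_RULES = """\
# audit rules snapshot (constructed sample)
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k priv_esc
-w /var/log/lastlog -p wa -k logins
# -w /etc/audit/ -p wa -k auditconfig
"""

# auditd tags a rule with "-k KEY" or "-F key=KEY"; either form names the event.
KEY_RE = re.compile(r"(?:-k\s+|key=)(\S+)")


def configured_keys(rules_text):
    """Return the set of keys on active rule lines (comments and blanks ignored)."""
    keys = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keys.update(KEY_RE.findall(line))
    return keys


def missing_events(required, rules_text):
    """Defined events whose expected key has no active rule, sorted by name."""
    present = configured_keys(rules_text)
    return sorted(event for event, key in required.items() if key not in present)


def assess(required, rules_text):
    """Classify a system the way the finding does.

    'not defined'    - the plan lists no required events at all (7 systems);
    'not configured' - events are defined but some have no rule (1 system);
    'configured'     - every defined event has an active rule.
    """
    if not required:
        return {"status": "not defined", "missing": []}
    missing = missing_events(required, rules_text)
    if missing:
        return {"status": "not configured", "missing": missing}
    return {"status": "configured", "missing": []}


if __name__ == "__main__":
    result = assess(REQUIRED_EVENTS, SAMPLE_RULES)
    print("status:", result["status"])
    for event in result["missing"]:
        print("  no active rule for:", event)
```

To run it against a real host, read the rules file into rules_text; the event-to-key mapping is the part the security plan has to supply, and that definition is exactly what was absent on 7 of the 10 systems, so an empty mapping is reported as "not defined" rather than as a clean result.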
Our findings were largely consistent with operating units’ own control assessments (including those from continuous monitoring efforts), which identified numerous security weaknesses in 8 of the 10 systems.

10 The Department has not yet completed actions in response to our recommendation, from our FY 2010 report, to improve vulnerability scanning and patch management policies to ensure comprehensive identification of vulnerabilities and timely remediation of software flaws.

III.  Deficiencies in the Department’s Plan of Action and Milestones (POA&M) Process Undermine Effective Remediation of Security Weaknesses

FISMA requires that the Department’s information security program include a process for planning, implementing, evaluating, and documenting actions necessary to remediate security weaknesses. 
The Department’s mechanism for reporting and tracking IT security weaknesses and corrective actions is the Plan of Action and Milestones (POA&M).

In our FY 2010 FISMA audit, we found significant deficiencies in the POA&M process that compromise the Department’s ability to track the status of corrective actions effectively. Because POA&M metrics are used as performance measures for people with significant IT security responsibilities, the lack of integrity controls in the process increases the risk that positive performance ratings may be achieved inappropriately. The Department concurred with our recommendation to revise and implement its POA&M policy to include integrity controls, evidence requirements, and management oversight, but it has not yet completed the necessary revisions, which it targets for completion by December 2011.

In the meantime, we found deficiencies in FY 2011 similar to those we found in FY 2010. 
These include:

   •  IT security weaknesses that were not added to POA&Ms, leaving management without knowledge of system risk factors;

   •  POA&M-listed IT security weaknesses that were closed, indicating that a weakness had been remediated, when in fact the weaknesses had not been corrected; and

   •  remediation plans that lacked the interim milestones needed for tracking the progress of mitigations, and little or no progress remediating weaknesses after extended periods (in some cases, over 3 years).

A system’s POA&M is one of three key documents (along with the system security plan and the security assessment report) that officials use to make risk-based authorization decisions. Without a reliable POA&M process, POA&Ms cannot be counted on to provide an accurate account of remediation measures or a clear estimate of how long systems will be exposed to increased risk before vulnerabilities are reduced or eliminated. Further, these deficiencies corrupt performance measures that rely on POA&M statistics. We look forward to the Department completing its actions in response to our FY 2010 audit report in this area.

Recommendations

To make the Department’s information security program and practices more effective, the Chief Information Officer should:

   1. Complete actions planned in response to our FY 2010 FISMA audit recommendations, as quickly as possible.

   2. 
Develop a security planning checklist, or other planning tool, to help system owners and authorizing officials complete and maintain comprehensive security plans.

   3. Determine the feasibility of conducting independent reviews at key steps in the risk management framework to ensure greater rigor and consistency in the security authorization process within the Department’s various operating units. Consideration should be given to creating independent review teams with representatives from different operating units to share best practices and promote consistent application of Department policy and NIST guidance.

Summary of Agency Comments and OIG Response

In his response to the draft report findings and recommendations, the Department’s Chief Information Officer concurred and noted that he will work with the operating units to implement the recommendations.

Appendix A: Objective, Scope, and Methodology

Our audit objective was to assess the effectiveness of the Department’s information security program and practices by determining whether (1) implemented controls adequately protect the Department’s systems and information, and (2) continuous monitoring is keeping authorizing officials sufficiently informed about the operational status and effectiveness of security controls. This report describes key issues that require senior managers’ attention. While we used examples from individual systems to illustrate issues, we did not identify the systems; aggregate results informed our assessment of the overall effectiveness of the Department’s IT security program. We will submit a separate report to OMB, answering a full scope of security-related questions, in further accordance with FISMA requirements.

We selected a targeted set of 10 systems, which perform critical Department functions within three major bureaus:

   •  Census Bureau

   •  National Oceanic and Atmospheric Administration (NOAA)

      o  NOAA’s National Environmental Satellite, Data, and Information Service (NESDIS)

      o  NOAA’s National Marine Fisheries Service (NMFS)

      o  NOAA’s National Weather Service (NWS)

   •  U.S. 
Patent and Trademark Office (USPTO)

To assess the effectiveness of the Department’s information security program and practices, we

   •  assessed a subset of security controls on information system components, conducting vulnerability scans and specifically tailored manual assessments;

   •  reviewed system-related artifacts, including policy and procedures, planning documents, and other material supporting the continuous monitoring process; and

   •  interviewed operating unit personnel, including system owners, IT security officers, administrators (network, system, database), and security control assessors.

We reviewed the Department’s compliance with applicable provisions of law, regulation, and mandatory guidance, including

   •  the Federal Information Security Management Act of 2002

   •  IT Security Program Policy and Minimum Implementation Standards, U.S. 
Department of Commerce, introduced by the Chief Information Officer on March 9, 2009

   •  NIST Federal Information Processing Standards Publications

      o  199, Standards for Security Categorization of Federal Information and Information Systems

      o  200, Minimum Security Requirements for Federal Information and Information Systems

   •  NIST Special Publications

      o  800-18, Guide for Developing Security Plans for Information Technology Systems

      o  800-37, Guide for the Security Certification and Accreditation of Federal Information Systems

      o  800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems11

      o  800-53, Recommended Security Controls for Federal Information Systems

      o  800-53A, Guide for Assessing the Security Controls in Federal Information Systems

      o  800-70, Security Configuration Checklists Program for IT Products

      o  800-115, Technical Guide to Information Security Testing and Assessment

We conducted our field work from January to August 2011 at Commerce headquarters, various field offices, and contractor hosting facilities in the District of Columbia, Florida, Maryland, and Virginia.

We performed this audit under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated August 31, 2006. We conducted this audit in accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.

11 NIST revised SP 800-37 in February 2010, reframing its principles in accordance with its Risk Management Framework and changing the title of the guidance. In its FY 2011 FISMA reporting instructions, OMB required federal agencies to follow SP 800-37, Revision 1 for continuous monitoring. Where it has not otherwise been indicated, the most recent revision was consulted.

Appendix B: Agency Response